<div dir="ltr">Sounds good</div><div class="gmail_extra"><br><div class="gmail_quote">On 29 November 2015 at 21:27, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 27/11/15 11:52, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>Is direct grant and implicit disabled by
default?</div>
</div>
</div>
</div>
</blockquote>
</span> Implicit is disabled, but direct grant is enabled by
default. This is just for backwards compatibility, as in 1.6,
we have direct grant defacto enabled for all clients. If we
want to have it disabled by default, we should add big note to
migration docs. Or we can have it enabled for all clients
migrated from previous version, but keep the switch "off" in
admin console for new clients?<br>
</div>
</blockquote>
<div><br>
</div>
<div>On for old, off for new works for me.</div>
</blockquote></span>
Thinking that it's a bit tricky... For example if you import
testrealm.json with demo example, the direct grants will be enabled
for all clients, but at the same time the switch for newly created
clients will be disabled. Looks strange to me.<br>
<br>
I wonder that for migration, it is more proper to enable direct
grants just for the clients, which have "directGrantsOnly" switch
enabled? Those are most likely clients, which were in previous
version used for direct grants usecase<span class=""><br>
<blockquote type="cite">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> <br>
At least, we have people, who wants to login into admin REST
API by default (without need to go to admin-console UI first
and enable direct grant for some client), so I guess this
possibility should be still kept.</div>
</blockquote>
<div><br>
</div>
<div>In reality they should not be using the admin console client
to do so. They should create a separate client for it I think.
We need to sort out some sort of bootstrapping for it though. Or
maybe we have a admin-cli client?</div>
</blockquote></span>
+1 for admin-cli client.<br>
<br>
So how about this:<br>
- new clients will have "direct access grant" switch off by default<br>
- Clients migrated from previous version will have "direct access
grant" just if they had "direct grants only" enabled. So those
clients will have "standard=off, direct access grants=on"<br>
- New builtin client "admin-cli" will be added to each realm. It
will be public client with "standard=off, implicit=off,
directAccessGrants=on" and will have same scope like current
"security-admin-console"<br>
- security-admin-console will have directAccessGrants=off . This
will be done automatically during migration from previous version
(as it has directGrantsOnly=off in 1.6.1).<br>
- Big note will be added to migration guide<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek<br>
<br>
</font></span></div>
</blockquote></div><br></div>